Microsoft has released its January Patch Tuesday security updates today, fixing 49 common vulnerabilities and exposures (CVEs) across the Windows family of operating systems and related products, which includes Windows, Office, Office Services and Web Apps, Internet Explorer, .NET Core, ASP.NET, .NET Framework, OneDrive for Android, and Microsoft Dynamics. Of these, 8 are classified as “Critical” and 41 as “Important”.
Among the 8 critical vulnerabilities, one in particular has drawn our attention: CVE-2020-0601, which was reported to Microsoft by the U.S. National Security Agency (NSA).
Windows CryptoAPI Spoofing Vulnerability|CVE-2020-0601:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. Because the flaw lets an attacker present a certificate that Windows treats as chaining to a trusted root, it undermines Public Key Infrastructure (PKI) trust and can enable remote code execution.
The vulnerability affects Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality.
To exploit the vulnerability, an attacker could use a spoofed code-signing certificate to sign a malicious executable, making the file appear to come from a trusted, legitimate source. The user would have no way to tell that the file was malicious, because the digital signature would appear to be from a trusted provider.
Successful exploitation could also allow a remote attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
Examples where validation of trust may be affected include HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes.
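To make the validation flaw concrete, the following is an added example written for this post (it is not Microsoft's code and not taken from the NSA advisory). It models, in pure Python on NIST P-256, a root-matching check that compares only the certificate's public key point, beside a hardened check that also compares the full set of curve domain parameters. The explicit-parameter trick it uses (a certificate that carries its own curve definition with the generator set to a trusted root's public point and a private scalar of 1) is the publicly documented root cause of CVE-2020-0601 and is not described on this page; the root private scalar, key names and helper functions are constructed for illustration, and no real certificate is parsed or produced.

```python
"""
Added example (not from the original post): a minimal model of the ECC
trust check that CVE-2020-0601 broke. Pure-Python P-256 arithmetic only;
no certificates are parsed or forged and no real CA key is used.
"""
from dataclasses import dataclass

# NIST P-256 domain parameters (public constants, not an assumption).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


@dataclass(frozen=True)
class Curve:
    """Explicit EC domain parameters, the way a certificate may carry them."""
    p: int
    a: int
    b: int
    g: tuple  # generator (x, y)
    n: int


P256 = Curve(P, A, B, (GX, GY), N)


def _add(c, p1, p2):
    """Affine point addition on y^2 = x^3 + ax + b over GF(p); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)


def scalar_mult(c, k, point):
    """Double-and-add: returns k * point on curve c."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(c, result, addend)
        addend = _add(c, addend, addend)
        k >>= 1
    return result


@dataclass(frozen=True)
class EccKey:
    curve: Curve
    public: tuple


def vulnerable_is_trusted(cert_key, trusted_roots):
    """Models the pre-patch logic: the root is matched by public-key point
    alone; the curve the point was computed on is never compared."""
    return any(cert_key.public == root.public for root in trusted_roots)


def hardened_is_trusted(cert_key, trusted_roots):
    """Models the fix: the key only matches a root if every domain parameter,
    generator included, is identical to the trusted root's."""
    return any(cert_key.public == root.public and cert_key.curve == root.curve
               for root in trusted_roots)


# Constructed sample "trusted root CA" (hypothetical private scalar, not a real key).
ROOT_PRIVATE = 0xC0FFEE1234567890ABCDEF1122334455667788
ROOT = EccKey(P256, scalar_mult(P256, ROOT_PRIVATE, P256.g))


def explicit_parameter_key_matching(root):
    """Keep p, a, b, n but set the generator to the root's public point.
    With private scalar 1 the public point equals the root's, so a
    point-only comparison cannot tell the two keys apart."""
    rogue_curve = Curve(root.curve.p, root.curve.a, root.curve.b, root.public, root.curve.n)
    rogue_private = 1
    return EccKey(rogue_curve, scalar_mult(rogue_curve, rogue_private, rogue_curve.g))


ROGUE = explicit_parameter_key_matching(ROOT)


def demo():
    """Returns what each check decides for the rogue and the genuine key."""
    return {
        "vulnerable_accepts_rogue": vulnerable_is_trusted(ROGUE, [ROOT]),
        "hardened_accepts_rogue": hardened_is_trusted(ROGUE, [ROOT]),
        "hardened_accepts_genuine": hardened_is_trusted(ROOT, [ROOT]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point-only check accepting the rogue key while the parameter-aware check rejects it. The practical takeaway for defenders is the same one the NSA gave: a certificate whose SubjectPublicKeyInfo carries explicit EC parameters instead of a named-curve OID deserves scrutiny, because legitimate CA certificates use named curves.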
As usual, Microsoft has also patched three critical RCEs in Remote Desktop Gateway and Remote Desktop Client:
Remote Desktop Client Remote Code Execution Vulnerability|CVE-2020-0611:
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server.
To exploit this vulnerability, an attacker would need to control a server and then persuade a client to connect to it. The attacker could trick the user into connecting to the malicious server via social engineering, DNS poisoning or a man-in-the-middle (MITM) technique, or could compromise a legitimate server, host malicious code on it, and wait for users to connect.
An attacker who successfully exploited this vulnerability could execute arbitrary code on the connecting client's computer, and could then install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Desktop Gateway Remote Code Execution Vulnerability|CVE-2020-0609, CVE-2020-0610:
Two remote code execution vulnerabilities exist in Windows Remote Desktop Gateway (RD Gateway). Both are pre-authentication and require no user interaction from the server owner.
To exploit these vulnerabilities, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.
Successful exploitation could allow a remote attacker to execute arbitrary code on the target system; the attacker could then install programs, modify or delete data, or create new accounts with full user rights.
Other Interesting Vulnerabilities
- Internet Explorer Memory Corruption Vulnerability|CVE-2020-0640:
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This could corrupt the memory so that an attacker could execute arbitrary code in the context of the current user.
To exploit this vulnerability, an attacker would have to host a maliciously crafted website designed to exploit the flaw through Internet Explorer and then persuade a user to visit it.
Successful exploitation could allow an attacker to gain the same user rights as the current user; if the current user is logged on with administrative rights, the attacker could take full control of the affected system, install programs; view, change, or delete data; or create new accounts with full user rights.
As Microsoft has announced, support for Windows 7, Windows Server 2008 R2, and Windows Server 2008 ends today; the patches released today, covering 22 CVEs for these systems, are the last they will receive.
Product: Microsoft Windows
CVEs/Advisory: CVE-2020-0601, CVE-2020-0607, CVE-2020-0608, CVE-2020-0609, CVE-2020-0610, CVE-2020-0611, CVE-2020-0612, CVE-2020-0613, CVE-2020-0614, CVE-2020-0615, CVE-2020-0616, CVE-2020-0617, CVE-2020-0620, CVE-2020-0621, CVE-2020-0622, CVE-2020-0623, CVE-2020-0624, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633, CVE-2020-0634, CVE-2020-0635, CVE-2020-0636, CVE-2020-0637, CVE-2020-0638, CVE-2020-0639, CVE-2020-0641, CVE-2020-0642, CVE-2020-0643, CVE-2020-0644,
Impact: Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing
KBs: 4528760, 4534271, 4534273, 4534276, 4534283, 4534288, 4534293, 4534297, 4534303, 4534306, 4534309, 4534310, 4534312, 4534314
Product: Internet Explorer
CVEs/Advisory: CVE-2020-0640
Impact: Remote Code Execution
KBs: 4528760, 4534251, 4534271, 4534273, 4534276, 4534283, 4534293, 4534297, 4534303, 4534306, 4534310
Product: Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory: CVE-2020-0647, CVE-2020-0650, CVE-2020-0651, CVE-2020-0652, CVE-2020-0653, CVE-2020-0654
Impact: Remote Code Execution, Security Feature Bypass, Spoofing
KBs: 4484217, 4484221, 4484223, 4484227, 4484234, 4484236, 4484243
Product: .NET Core
Impact: Remote Code Execution
Severity: Critical
Product: .NET Framework
CVEs/Advisory: CVE-2020-0605, CVE-2020-0606, CVE-2020-0646
Impact: Remote Code Execution
KBs: 4532933, 4532935, 4532936, 4532938, 4534271, 4534293, 4534306, 4534976, 4534977, 4534978, 4534979, 4535101, 4535102, 4535103, 4535104, 4535105